Security Audit Tool

https://www.phpbb.com/ideas/
Earl Boebert
Registered User
Posts: 2
Joined: Sun Oct 18, 2020 9:02 pm

Security Audit Tool

Post by Earl Boebert »

Old-timey security guy here. I recently had the "pleasure" of moving and tightening down a phpBB installation that had suffered a major intrusion. The intruder gained access through a configuration error on the part of the previous admin, who was no dummy. This was my first experience with your code.

So after some time spent on the cycle "How do I do X? -> search support forum -> find the switch to set and set it" I saw how my predecessor could have overlooked a critical setting. There's a lot of security-related settings and they don't stand out from the other stuff.

It occurred to me that a simple, questionnaire-based audit tool could have been a big help. I'm thinking of something that goes through your configuration and displays the consequences of that configuration in simple terms, e.g.:

"You are configured to allow search bots to index your forum. Do you want to do this? Y/N"

Click "N" and you get a sentence that tells you how to turn that off.

Maybe there's something out there already and I just didn't find it. In which case I suggest notifying people of its existence be part of the install/upgrade cycle.

Just a suggestion. Could have saved a bunch of people a lot of time and trouble.

Cheers,

Earl
thecoalman
Community Team Member
Posts: 4257
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Security Audit Tool

Post by thecoalman »

You can report bug and security issues here:

http://tracker.phpbb.com/

Note that something like permissions settings which may be difficult to understand would not be considered a bug unless it's plainly a bug.

"You are configured to allow search bots to index your forum. Do you want to do this? Y/N"
Most people are going to have a mix of forums they will want to configure for bot access. Let me give you an example of one configuration I had:

Private admin/moderator forums >> No bot access, obviously.
On topic forums >> Access for bots.
Off topic forums >> I didn't want them indexed, no access for bots. However they were fully accessible to guests, and at the time I was running Google ads so I created an additional group for the ad bot to give it access.
Private forum behind login where only members from an open group had access >> Same as above with the ad bot. Note that someone could access this forum by spoofing the UA, so you wouldn't do this if you needed it completely private.

Last but not least I have another group that gives bots and guests access to files only, e.g. if someone posts an image in a private forum and then links to it in a public forum, they can view it. Once again this type of configuration is not something you would do if you wanted to keep it completely private.

phpBB permissions can be difficult to understand and there have been complaints even before the official release of 3.0.0 in 2007. They are basically configured the same since. I don't know if there is a better way to handle them that can maintain the flexibility they have.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
Earl Boebert
Registered User
Posts: 2
Joined: Sun Oct 18, 2020 9:02 pm

Re: Security Audit Tool

Post by Earl Boebert »

In no sense was the experience the result of a flaw in the software. The admin made a mistake, pure and simple. However, I am a strong believer in Levenson's Law that "Human error is a symptom, not a cause." The admin interface is too complex for ordinary mortals.

One cure would be to reduce the number of options and therefore the complexity of the interface. That is clearly impractical.

The alternate approach would be to have a tool that tells ordinary mortals in ordinary mortal language the implications of what they have done. That is what I have suggested. I have used this approach in other environments with some success. I think it would be a valuable enhancement to your system.
Random American
Registered User
Posts: 186
Joined: Sat Aug 10, 2019 4:45 am
Location: Somewhere in the Southern USA.

Re: Security Audit Tool

Post by Random American »

Earl Boebert wrote:
Sun Oct 18, 2020 9:24 pm
"You are configured to allow search bots to index your forum. Do you want to do this? Y/N"

Click "N" and you get a sentence that tells you how to turn that off.
If that is set up on a per forum basis, I think it could work. Like thecoalman said, some forums should probably be set up to be indexed, while others shouldn't for obvious reasons. Permissions will differ from forum to forum.
I'm just a regular member of the phpBB Community. I do NOT represent phpBB.com in any capacity and my opinions are solely my own.
thecoalman
Community Team Member
Posts: 4257
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Security Audit Tool

Post by thecoalman »

Earl Boebert wrote:
Mon Oct 19, 2020 6:49 pm
One cure would be to reduce the number of options and therefore the complexity of the interface. That is clearly impractical.
As far as permissions go, once again I'm not disagreeing; they can be complex, but any change that would remove the flexibility they currently have would be disagreeable to me. If anything I want more options.
The alternate approach would be to have a tool that tells ordinary mortals in ordinary mortal language the implications of what they have done. That is what I have suggested. I have used this approach in other environments with some success. I think it would be a valuable enhancement to your system.
I'm not saying it's a bad idea but I don't see how you go about doing that, especially where the permissions are concerned. There is documentation for this and I'm guessing 99.9% never read it. On that note, while not exactly what you're asking for, on the permissions page in the lower left are permission masks that can give you a better overview of permissions.
david63
Registered User
Posts: 18612
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK

Re: Security Audit Tool

Post by david63 »

This is along the lines of this idea - viewtopic.php?f=436&t=2462281
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored
Mick
Support Team Member
Posts: 22919
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket probably.

Re: Security Audit Tool

Post by Mick »

Earl Boebert wrote:
Mon Oct 19, 2020 6:49 pm
One cure would be to reduce the number of options
The ‘complexity’ of phpBB permissions is, more or less, user driven. Since 3.0.x there have been many additions and changes because of user requests so trimming those now will probably upset those who have campaigned for the changes. Also, the permissions and changes are all there for good reason. I’m wondering why you consider search bots a security risk.
"The more connected we get the more alone we become" - Kyle Broflovski©
thecoalman
Community Team Member
Posts: 4257
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Security Audit Tool

Post by thecoalman »

Mick wrote:
Tue Oct 20, 2020 8:15 am
I’m wondering why you consider search bots a security risk.
What he said was "The intruder gained access through a configuration error on the part of the previous admin". It's easy to make a mistake like that if you are unfamiliar with how permissions are set and what their limitations are.

Quick tip: the easiest way to avoid permission errors is never to add the group to the forum to begin with. If, for example, you have a private forum for moderators and admins:

Permissions tab >> Forum Permissions >> Select the forum(s)

[screenshot of the Forum Permissions page]

Any group that is not included has no permissions.
warmweer
Jr. Extension Validator
Posts: 5883
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium

Re: Security Audit Tool

Post by warmweer »

IMHO, an extra security tool with that kind of question won't solve the "problem" as the info given will point to the permission settings.
When something permission related doesn't function as expected, the easiest way to find out what the cause (of the problem) is ... is the permission tracing/mask.
That will show you the user/group/forum permissions and how the cumulative permission is "calculated".
see Permission Masks
Spelling is freeware, which means you can use it for free.
On the other hand, it is not open source, which means you cannot change it or publish it in a modified form.
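An added example (my own illustration, not phpBB's code and not posted by anyone in this thread) that models the cumulative permission calculation warmweer's permission tracing shows, thecoalman's tip that a group not listed on a forum has no permissions there, and then turns the result into the plain-language finding Earl proposed. The forum names, groups and principals are constructed to mirror the setup thecoalman describes; the combination rule restates phpBB's documented YES/NO/NEVER semantics (NEVER beats every YES, one YES grants, NO or no assignment at all fails to grant). "f_read" is phpBB's "can read forum" permission name; everything else is illustrative.

```python
# Toy permission tracer and plain-language auditor modelled on phpBB's
# forum permission model. Constructed example, not phpBB code.
from enum import Enum


class Setting(Enum):
    YES = "YES"
    NO = "NO"
    NEVER = "NEVER"


# Constructed sample: FORUM_PERMS[forum][group][permission] = Setting.
# Groups not listed under a forum have no permissions on it at all.
FORUM_PERMS = {
    "Staff": {  # private admin/moderator forum: only staff groups listed
        "Administrators": {"f_read": Setting.YES},
        "Global moderators": {"f_read": Setting.YES},
    },
    "On topic": {  # public and indexable
        "Guests": {"f_read": Setting.YES},
        "Bots": {"f_read": Setting.YES},
        "Registered users": {"f_read": Setting.YES},
    },
    "Off topic": {  # readable by guests, crawlers kept out except the ad bot
        "Guests": {"f_read": Setting.YES},
        "Registered users": {"f_read": Setting.YES},
        "Ad bot": {"f_read": Setting.YES},
        "Newly registered users": {"f_read": Setting.NEVER},
    },
    "Members only": {  # behind login, ad bot still let in (UA-spoofable)
        "Registered users": {"f_read": Setting.YES},
        "Ad bot": {"f_read": Setting.YES},
    },
}

# Constructed principals and the groups they belong to.
PRINCIPALS = {
    "guest": ["Guests"],
    "search bot": ["Bots"],
    "ad bot": ["Bots", "Ad bot"],
    "newbie": ["Registered users", "Newly registered users"],
    "alice": ["Registered users"],
    "mod": ["Registered users", "Global moderators"],
}

UNAUTHENTICATED = ("guest", "search bot", "ad bot")


def resolve(forum, groups, perm, forum_perms=FORUM_PERMS):
    """Effective permission for one principal: (granted, granting groups, trace).

    Rule: any NEVER denies outright; otherwise one YES grants; NO or an
    absent assignment never grants anything.
    """
    trace, grantors = [], []
    for group in groups:
        setting = forum_perms.get(forum, {}).get(group, {}).get(perm)
        if setting is None:
            trace.append(f"{group}: not assigned to '{forum}' -> no permissions")
            continue
        trace.append(f"{group}: {perm} = {setting.value}")
        if setting is Setting.NEVER:
            trace.append("NEVER overrides every YES -> denied")
            return False, [], trace
        if setting is Setting.YES:
            grantors.append(group)
    granted = bool(grantors)
    trace.append("granted" if granted else "denied (no YES found)")
    return granted, grantors, trace


def audit(forum_perms=FORUM_PERMS, principals=PRINCIPALS):
    """Questionnaire-style findings: which forums are readable without a login."""
    findings = []
    for forum in forum_perms:
        for name in UNAUTHENTICATED:
            granted, grantors, _ = resolve(forum, principals[name], "f_read", forum_perms)
            if granted:
                findings.append(
                    f"'{forum}' is readable by {name} via {', '.join(grantors)}. "
                    f"Intended? If not, remove that group from the forum under "
                    f"Permissions > Forum Permissions instead of setting it to NO."
                )
    return findings


if __name__ == "__main__":
    for name, groups in PRINCIPALS.items():
        granted, _, trace = resolve("Off topic", groups, "f_read")
        print(f"{name:10} Off topic f_read: {'YES' if granted else 'no'}  [{'; '.join(trace)}]")
    print()
    for line in audit():
        print(line)
```

Running it prints one trace line per principal for the "Off topic" forum (the newbie is denied by the NEVER on "Newly registered users" even though "Registered users" says YES, and the search bot is denied simply because "Bots" is not listed there), followed by six findings, none of them for "Staff". The message deliberately tells the admin to remove the group rather than set NO, because a NO on one group is still overridden by a YES on any other group the same account belongs to.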